Yet Another Data Security Challenge: Protection of Biometric Data

August 17, 2015

fingerprint phoneOn a virtually daily basis, the headlines identify another data security risk or challenge.  Among the most recently identified data security concerns is the problem of securing personal biometric data, fingerprints for example, from unauthorized access and use.  In many ways, biometric data are the most sensitive of all personal data, and recent revelations that such data are all too frequently left inadequately protected raise important legal and public policy concerns.

The shortcomings of passwords and other traditional computer and communications access controls are extremely well-known.  Aggressive efforts have been underway for years to implement computer access controls that are more secure and effective than passwords.  Among the most promising of the next generation of access controls are biometric data, including fingerprints and eye scans.

Advances in scanning and imaging technologies make it feasible to make broader use of biometric access controls.  Those controls are now routinely available on a wide range of devices, including smartphones and other consumer equipment.  There is every reason to expect that biometric access systems will become even more pervasive in the near future.

Recent studies suggest, however, that some of the biometric access systems are seriously flawed, from a data security perspective.  Those systems all too frequently seem to leave fingerprints and other personal biometric data vulnerable to unauthorized access and collection.  This security risk is of profound significance.  It is bad enough if a password is stolen, but if an individual’s fingerprints are taken, the consequences can be devastating.

Computer security company, FireEye reported that the fingerprint access systems used by some smartphones made by HTC appeared to be vulnerable to unauthorized access.  FireEye alleged that, it was possible to load apps on those devices that would harvest fingerprint data each time the print was used to access the device. In this way, the fingerprint data could be continuously refined and improved as more data were captured.

When a password is stolen, it is a simple process to create a new password.  When fingerprint or other biometric data are stolen, there is no way to change the compromised material.  Once an individual’s biometric data are captured, that individual’s identify has been truly compromised.

The specific biometric security flaw identified by FireEye has, with the assistance of that company, been addressed.  Yet the lessons offered by this security breach should be absorbed fully, particularly as more and more devices make use of biometric access systems.

Biometric data should receive the highest level of security protection, at all times.  Organizations that collect, store, distribute or process biometric data should recognize the serious legal risks that they face.  Of all of the available personal data, biometric data are perhaps the most sensitive.  All parties involved in use of that data must recognize that they face substantial potential legal liability as a result of the highly sensitive nature of the data, and they should structure their security strategies, policies, and practices accordingly.